lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <kyzmstq5dodvgpmd7rge3gtdikbbpauw6fide7vccgii4xtb6n@bwrwjsx4ylmx>
Date:   Thu, 20 Jul 2023 11:56:23 +0200
From:   Michal Koutný <mkoutny@...e.com>
To:     Zheng Wang <zyytlz.wz@....com>
Cc:     shaggy@...nel.org, jfs-discussion@...ts.sourceforge.net,
        linux-kernel@...r.kernel.org, hackerzheng666@...il.com,
        1395428693sheep@...il.com, alex000young@...il.com,
        security@...nel.org
Subject: Re: [PATCH] fs/jfs: Add a mutex named txEnd_lmLogClose_mutex to
 prevent a race  condition between txEnd and lmLogClose functions

Hello Zheng.

On Mon, May 15, 2023 at 05:59:56PM +0800, Zheng Wang <zyytlz.wz@....com> wrote:
> ==================================================================
> BUG: KASAN: slab-use-after-free in instrument_atomic_write include/linux/instrumented.h:87 [inline]
> BUG: KASAN: slab-use-after-free in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
> BUG: KASAN: slab-use-after-free in txEnd+0x2a3/0x5a0 fs/jfs/jfs_txnmgr.c:535
> Write of size 8 at addr ffff888021bee840 by task jfsCommit/130
> 
> CPU: 3 PID: 130 Comm: jfsCommit Not tainted 6.3.0-rc7-pasta #1

Is this still pertinent with the current mainline? (There were some
changes to jfs.)

> Through analysis, it was found that a race condition occurred between two
> functions lmLogClose and txEnd, which were executed in different threads.
> The possible sequence is as follows:
> 
> -------------------------------------------------------------------------
> cpu1(free thread)        |        cpu2(use thread)
> -------------------------------------------------------------------------
> lmLogClose               |        txEnd
>                          |        log = JFS_SBI(tblk->sb)->log;
> sbi->log = NULL;         |
> kfree(log); [1] free log |
>                          |        clear_bit(log_FLUSH, &log->flag); [2] UAF

That looks sane to a by-passer.

> Fix it by add a mutex lock between lmLogClose and txEnd:

It doesn't feel right wrt "lock data, not code" heuristics.
And when I apply that, it turns out there's already jfs_log_mutex.
I'd suggest you explain more why a new lock is needed (if that's the
preferred solutino).

Thanks,
Michal

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ